Immersive Labs writeup (practice writeup)

Quite recently, I did Immersive Labs' Packet Analysis - Wireshark lab, and this is my first practice writeup.

"How many cipher suites are supported in TLSv1.3 within this capture?" (4 suites)



First, open up the remote VM named "Understanding Wireshark". From there, head to folder "labfiles" > "tls_1_3.pcapng"



Wireshark display filter: "tls.handshake.type==1" (this selects Client Hello packets).

Went to the Transport Layer Security section (second screenshot) > Cipher Suites



Scrolling down, I found the Cipher Suites section: Cipher Suites (4 suites)







"Which cipher suite is used in the current capture?" (TLS_AES_256_GCM_SHA384)



Here I did guesswork: I assumed the first cipher listed is the one used in the current capture (and I got lucky).



After further research, I found an article that explains the SSL/TLS handshake.


The article for reference:

https://www.linuxbabe.com/security/ssltls-handshake-process-explained-with-wireshark-screenshot

(Huh... so this is what I am supposed to do: go to the packet that has the Server Hello data. Something new I learnt today! We'll get there in a bit.)



Following the article's steps, I went to the second packet. Reading its comment, that must be the Server Hello data!



Scrolled down to the Cipher Suite section and indeed found it: Cipher Suite: TLS_AES_256_GCM_SHA384







"What is the value of the 'Client Random' string of bytes?" (8147c166d51bfa4bb5e02ae1a787131d11aac6cefc7fab94c862adc8ab0cddcb)



This one's pretty straightforward compared to the other challenges. Head back to the packet with the comment "Client Hello" > Transport Layer Security > scroll until "Random".



Found the Random section: 8147c166d51bfa4bb5e02ae1a787131d11aac6cefc7fab94c862adc8ab0cddcb





"What is the value of the 'Server Random' string of bytes?" (3964dbec5022bfbd0783a15f8fd02518c8cf05be901c389b8a284639e37cdb66)



Likewise with this one: head to the packet with the "Server Hello" comment > Transport Layer Security > scroll until "Random".


Found the Random section: 3964dbec5022bfbd0783a15f8fd02518c8cf05be901c389b8a284639e37cdb66
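As an added example (not part of the writeup or the lab files), the Python below parses a Client Hello and a Server Hello record the same way Wireshark's Transport Layer Security tree does, pulling out the Random and cipher suite fields the four questions ask about. The two records are constructed inside the script: the Random values are the ones from the answers above, while the list of four TLS 1.3 suites in the Client Hello is an assumption, since the writeup does not list which four the capture offers.

```python
import struct

# IANA names for the TLS 1.3 suites (the names Wireshark shows in the Cipher Suites tree)
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
}

def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (type 1) or ServerHello (type 2).
    Returns the handshake type, the 32-byte Random as hex, and the cipher suite names."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                          # skip record header: type(1) version(2) length(2)
    hs_type = hs[0]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    random = body[2:34]                      # legacy_version(2) is followed by Random(32)
    pos = 35 + body[34]                      # skip legacy_session_id (length byte + id)
    if hs_type == 1:                         # ClientHello offers a list of suites
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]
    elif hs_type == 2:                       # ServerHello carries the single chosen suite
        suites = [struct.unpack("!H", body[pos:pos + 2])[0]]
    else:
        raise ValueError(f"unexpected handshake type {hs_type}")
    return {"type": "ClientHello" if hs_type == 1 else "ServerHello",
            "random": random.hex(),
            "cipher_suites": [SUITE_NAMES.get(s, f"0x{s:04x}") for s in suites]}

def build_hello(hs_type: int, random: bytes, suites: list) -> bytes:
    """Construct a minimal hello record as sample input (constructed, not captured traffic)."""
    if hs_type == 1:
        suite_bytes = struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        body = b"\x03\x03" + random + b"\x00" + suite_bytes + b"\x01\x00" + b"\x00\x00"
    else:
        body = b"\x03\x03" + random + b"\x00" + struct.pack("!H", suites[0]) + b"\x00" + b"\x00\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed sample records: Random values from the writeup, suite list assumed
CLIENT_HELLO = build_hello(1, bytes.fromhex("8147c166d51bfa4bb5e02ae1a787131d11aac6cefc7fab94c862adc8ab0cddcb"),
                           [0x1302, 0x1303, 0x1301, 0x1304])
SERVER_HELLO = build_hello(2, bytes.fromhex("3964dbec5022bfbd0783a15f8fd02518c8cf05be901c389b8a284639e37cdb66"),
                           [0x1302])

if __name__ == "__main__":
    for rec in (CLIENT_HELLO, SERVER_HELLO):
        print(parse_hello(rec))
```

Point the parser at the raw bytes of a real record (Wireshark: right-click the TLS record > Copy > ...as a Hex Stream) to check the same fields against what the GUI shows.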